CVE-2021-1675 & CVE-2021-34527: Windows Print Spooler Remote Code Execution Vulnerability


Overview (CVE-2021-34527 and CVE-2021-1675):

The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well.

CVSS score:

CVE               CVSS:3.0 (base / temporal)
CVE-2021-34527    8.8 / 8.2
CVE-2021-1675     7.8 / 6.8

CVE-2021-34527

Metric                  Value
Attack Vector           Network
Attack Complexity       Low
Privileges Required     Low
User Interaction        None
Scope                   Unchanged
Confidentiality         High
Integrity               High
Availability            High

CVE-2021-1675

Metric                  Value
Attack Vector           Local
Attack Complexity       Low
Privileges Required     None
User Interaction        Required
Scope                   Unchanged
Confidentiality         High
Integrity               High
Availability            High

Cause and Impact:

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system.
One of the parameters to this function is a DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer.
Another argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied.

An attacker can take advantage of this as follows:

  • Any authenticated user can call the RpcAddPrinterDriverEx() function and specify a driver file that lives on a remote server.
  • Hence spoolsv.exe (the Print Spooler service) can be made to execute code in an arbitrary DLL file.
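The behaviour described in the two bullets above (a driver whose files do not come from the local driver store) is visible to defenders in the print service's own event log. The PowerShell below is an added example, not part of the original advisory: it scans driver-installation events and flags any whose file list contains a UNC path or a path outside %SystemRoot%\System32\spool\drivers. It assumes the Microsoft-Windows-PrintService/Operational log is enabled (it is off by default) and that Event ID 316 carries the driver file list in its message text in the standard "Files:- ..." form; the two sample events are constructed so the example runs offline, and the function names are this example's own.

```powershell
# Added example (not from the original advisory): flag printer-driver installations
# whose files were loaded from a network share or from outside the local driver store.
# Assumptions: the Microsoft-Windows-PrintService/Operational log is enabled (off by
# default) and Event ID 316 ("Printer driver ... was added or updated. Files:- ...")
# lists the driver files in its message text.

$DriverStore = Join-Path $env:SystemRoot 'System32\spool\drivers'

function Test-SuspiciousDriverPath {
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.Trim()
    # UNC path: the driver DLL lives on a remote host
    if ($p -match '^\\\\[^\\]+\\') { return $true }
    # Any local path that is not under the spooler's own driver store
    if ($p -notlike "$DriverStore*") { return $true }
    return $false
}

function Get-SuspiciousDriverInstalls {
    # $Events: objects with TimeCreated and Message (e.g. Get-WinEvent output)
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Message -notmatch '(?s)Files:-\s*(.+?)\.\s*No user action') { continue }
        $files = $Matches[1] -split ','
        $bad   = $files | Where-Object { Test-SuspiciousDriverPath $_ }
        if ($bad) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Driver      = ($e.Message -replace '(?s)^Printer driver (.+?) for Windows.*', '$1')
                Files       = ($bad | ForEach-Object { $_.Trim() }) -join ', '
            }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output.
# The first is a normal in-box driver; the second points at a remote share.
$sample = @(
    [pscustomobject]@{
        TimeCreated = Get-Date '2021-07-01 10:00'
        Message     = "Printer driver Generic / Text Only for Windows x64 was added or updated. Files:- $DriverStore\x64\3\unidrv.dll, $DriverStore\x64\3\unires.dll. No user action is required."
    },
    [pscustomobject]@{
        TimeCreated = Get-Date '2021-07-01 10:05'
        Message     = "Printer driver 1234 for Windows x64 was added or updated. Files:- \\192.0.2.10\share\driver.dll. No user action is required."
    }
)
Get-SuspiciousDriverInstalls -Events $sample | Format-Table -AutoSize

# Live use against the real log (only the second kind of event above is reported):
# Get-SuspiciousDriverInstalls -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } -ErrorAction SilentlyContinue)
```

The UNC check is the strong signal for remote exploitation; the driver-store check additionally catches a local user staging a DLL elsewhere on disk, which covers the local-privilege-escalation case the overview mentions.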

CVE-2021-1675 was addressed by Microsoft's June 2021 security update.
On July 1, 2021, Microsoft published CVE-2021-34527. That bulletin states that CVE-2021-34527 is similar to but distinct from CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx().

Solution:

Microsoft has addressed this issue in the updates for CVE-2021-34527.
However, the update does not effectively prevent exploitation under certain conditions (when NoWarningNoElevationOnInstall is set to a non-zero value).

Hence Microsoft has provided multiple workarounds:

1) Stop and disable the Print Spooler service.

The following commands disable the Print Spooler service:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Note that with the service disabled, the system can print neither locally nor remotely.

2) Block the RPC and SMB ports at the firewall:

Blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability.

3) Set registry keys:

Ensure the following registry values under this key are set to 0 (zero) or are not defined:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

NoWarningNoElevationOnInstall = 1 makes your system vulnerable by design.

4) Restrict printer driver installation to administrators:

After the Microsoft update for CVE-2021-34527 is installed, the registry value RestrictDriverInstallationToAdministrators under the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key is checked; it is intended to restrict printer driver installation to administrator users only.
Refer to KB5005010 for more details.
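The four workarounds above can be checked and applied from one script. The PowerShell below is an added example, not part of the original advisory or of Microsoft's guidance: Get-PrintNightmareStatus reports the spooler state and the Point and Print values, and Invoke-PrintNightmareHardening applies workarounds 3 and 4 unconditionally and workarounds 1 and 2 only when the corresponding switch is given, since those two break printing and file sharing respectively. It assumes it is run as Administrator, that the hardened value is RestrictDriverInstallationToAdministrators = 1 (DWORD) as described in KB5005010, and that the function and switch names are this example's own.

```powershell
# Added example (not from the original advisory): audit a host against the four
# workarounds and optionally apply them. Assumptions: run as Administrator;
# RestrictDriverInstallationToAdministrators = 1 (DWORD) is the hardened value per
# KB5005010; the function and switch names below are this example's own.

$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegDword {
    param([string]$Key, [string]$Name)
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }   # value (or the whole key) not defined
    return [int]$v.$Name
}

function Get-PrintNightmareStatus {
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $noWarn   = Get-RegDword $PnpKey 'NoWarningNoElevationOnInstall'
    $updPrmpt = Get-RegDword $PnpKey 'UpdatePromptSettings'
    $restrict = Get-RegDword $PnpKey 'RestrictDriverInstallationToAdministrators'
    [pscustomobject]@{
        SpoolerRunning          = [bool]($spooler -and $spooler.Status -eq 'Running')
        SpoolerStartType        = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        NoWarningNoElevation    = $noWarn      # 0 or not defined is safe; 1 is vulnerable by design
        UpdatePromptSettings    = $updPrmpt    # 0 or not defined is safe
        RestrictToAdmins        = $restrict    # 1 after the KB5005010 hardening
        PointAndPrintSafe       = (-not $noWarn) -and (-not $updPrmpt)
        DriverInstallRestricted = ($restrict -eq 1)
    }
}

function Invoke-PrintNightmareHardening {
    param(
        [switch]$DisableSpooler,          # workaround 1: stops all local and remote printing
        [switch]$BlockRpcAndSmbInbound    # workaround 2: also blocks file sharing on this host
    )
    if (-not (Test-Path $PnpKey)) { New-Item -Path $PnpKey -Force | Out-Null }

    # Workaround 3: Point and Print warning/elevation values back to the default (0)
    Set-ItemProperty -Path $PnpKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PnpKey -Name UpdatePromptSettings -Value 0 -Type DWord

    # Workaround 4: only administrators may install printer drivers (KB5005010)
    Set-ItemProperty -Path $PnpKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord

    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    if ($BlockRpcAndSmbInbound) {
        # RPC Endpoint Mapper (135/tcp) and SMB (139/tcp, 445/tcp), inbound only
        New-NetFirewallRule -DisplayName 'Block inbound RPC/SMB (PrintNightmare workaround)' `
            -Direction Inbound -Protocol TCP -LocalPort 135,139,445 -Action Block | Out-Null
    }
    Get-PrintNightmareStatus
}

# Report only; add -DisableSpooler / -BlockRpcAndSmbInbound to Invoke-PrintNightmareHardening
# on hosts that do not need to print or share files.
Get-PrintNightmareStatus | Format-List
```

PointAndPrintSafe treats an undefined value the same as 0, matching the advisory's "0 (DWORD) or not defined (default setting)". Note that workaround 2 prevents only remote exploitation, so workarounds 3 and 4 are still needed for the local-privilege-escalation case.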